Liberty identity specs released

Secure data exchange standard launched

The Liberty Alliance, a consortium of users and vendors developing identity standards, has released a set of specifications that define new ways for clients to present identity information.

The Advanced Client specification is designed to make clients smarter by allowing them to store identity credentials locally inside a trusted module, and then present them for authorisation to access services or a network without requiring those credentials to be validated each time by an outside identity service provider.

The model is similar to those employed by user-centric identity systems such as OpenID and Microsoft's CardSpace technology that shipped with Windows Vista.

The Advanced Client specification is built on the Liberty Alliance's current ID-Web Service Framework 2.0 specification, which includes mechanisms that define the exchange of identity data.

"In a normal federated identity relationship the credential is presented by the identity provider, say a bank or financial institution," said Roger Sullivan, president of the Liberty Alliance management board and vice president of Oracle identity management. "But in this instance the credentials can be provisioned to a trusted module in the device and the credential can be presented to the service provider in the same circle of trust as before without having the identity provider in the loop. It gives more functionality and flexibility to that device."

Sullivan said the specification could be applied to devices such as cameras, handhelds, laptops, printers, smart cards and televisions. He gave the example of a projector in a cinema that could be authenticated to download a digital movie, show the film and then be blocked from showing it again.

"You could create a much more authenticated mechanism for controlling the distribution of digital film," Sullivan said.

The set of Advanced Client specifications, which are currently in a technical draft, includes secure provisioning mechanisms, support for any device/network functionality and online/offline capabilities. The Liberty Alliance plans to do interoperability testing in the next couple of months. Intel, HP and BT provided a proof of concept model at this year's RSA Conference.

Liberty officials say the Advanced Client is the second of three phases of delivering identity capabilities to client devices. The first was the Liberty Enabled Client/Proxy. The third phase, which is under development, is the Robust Client, which will support trusted digital identity relationships, mobility modules and provide a platform for facilitating client-based universal strong authentication.